Re: Let people set host(no)ssl settings from initdb

From: David Fetter <david(at)fetter(dot)org>
To: "tsunakawa(dot)takay(at)fujitsu(dot)com" <tsunakawa(dot)takay(at)fujitsu(dot)com>
Cc: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, PostgreSQL Development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Let people set host(no)ssl settings from initdb
Date: 2020-01-17 20:15:29
Message-ID: 20200117201528.GK32763@fetter.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

On Fri, Jan 17, 2020 at 08:47:49PM +0100, David Fetter wrote:
> On Wed, Jan 08, 2020 at 02:53:47AM +0000, tsunakawa(dot)takay(at)fujitsu(dot)com wrote:
> > From: David Fetter <david(at)fetter(dot)org>
> > > > But I see two problems with the proposed approach: (1) initdb
> > > > doesn't support setting up SSL, so the only thing you can achieve
> > > > here is to reject all TCP/IP connections, until you have set up SSL.
> > >
> > > I don't believe any special setup is needed to require TLS for the
> > > connection, which is what this patch handles in a straightforward way.
> >
> > I think this feature can be useful because it's common to reject remote non-TLS connections. Eliminating the need to script for pg_hba.conf is welcome. Setting GUC parameters just after initdb is relatively easy, because we can simply add lines at the end of postgresql.conf. But pg_hba.conf is not because the first matching entry is effective.
> >
> > In terms of rejecting non-secure remote connections, should hostgssenc/hostnogssenc also be handled similarly?
>
> Yes, and they are in the enclosed patch.
>
> > > > (2) The default pg_hba.conf only covers localhost connections.
> > >
> > > As of this patch, it can be asked to cover all connections.
> >
> > + <term><option>--auth-hostssl=<replaceable class="parameter">authmethod</replaceable></option></term>
> > + <listitem>
> > + <para>
> > + This option specifies the authentication method for users via
> > fg
> > + TLS connections used in <filename>pg_hba.conf</filename>
> > + (<literal>hostssl</literal> lines).
> > + </para>
> > + </listitem>
> >
> > The relationship between --auth/--auth-local/--auth-host and --auth-hostssl/--auth-hostnossl is confusing. The former is for local connections, and the latter is for remote ones. Can we just add "remote" in the above documentation?
>
> Done.
>
> > Plus, you're adding the first option to initdb that handles remote connections. As the following execution shows, it doesn't warn about using "trust" for remote connections.
> >
> >
> > $ initdb --auth=md5 --pwprompt --auth-hostssl=trust --auth-hostnossl=trust
> > ...
> > syncing data to disk ... ok
> >
> > Success. You can now start the database server using:
> >
> > pg_ctl -D /tuna/pg2 -l logfile start
> >
> >
> >
> > I think we should emit a warning message like the following existing one:
> >
> > --------------------------------------------------
> > initdb: warning: enabling "trust" authentication for local connections
> > You can change this by editing pg_hba.conf or using the option -A, or
> > --auth-local and --auth-host, the next time you run initdb.
> > -
> > initdb: warning: enabling "trust" authentication
>
> Done.
>
> Best,
> David.

This time, with the patch attached.

Best,
David.
--
David Fetter <david(at)fetter(dot)org> http://fetter.org/
Phone: +1 415 235 3778

Remember to vote!
Consider donating to Postgres: http://www.postgresql.org/about/donate

Attachment Content-Type Size
v3-0001-Enable-setting-pg_hba.conf-permissions-from-initd.patch text/x-diff 17.0 KB

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Melanie Plageman 2020-01-17 20:25:49 Re: Parallel leader process info in EXPLAIN
Previous Message Paul A Jungwirth 2020-01-17 20:07:54 Re: range_agg